Bug 2163037 (CVE-2022-3064)

Summary: CVE-2022-3064 go-yaml: Improve heuristics preventing CPU/memory abuse by parsing malicious or large YAML documents
Product: [Other] Security Response
Reporter: Avinash Hanwate <ahanwate>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: aazores, abenaiss, abishop, adudiak, alitke, amackenz, amasferr, amctagga, ansmith, aoconnor, bbaude, bbuckingham, bcl, bcoca, bcourt, bdettelb, bkundu, bniver, btotty, chazlett, cmarinea, cwelton, davidn, dcadzow, debarshir, desktop-qa-list, dfreiber, dwalsh, dymurray, eaguilar, ebaron, eglynn, ehelms, ellin, epacific, fdeutsch, fjansen, flucifre, gmeno, gparvin, grafana-maint, hhorak, ibolton, jaharrin, jburrell, jcammara, jcantril, jchui, jeder, jhardy, jjoyce, jkang, jkurik, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, jorton, jpallich, jshaughn, jsherril, jwendell, jwon, kshier, lball, lgamliel, lhh, lmadsen, lsm5, lzap, mabashia, matzew, mbenjamin, mboddu, mburns, mcressma, mfilanov, mgarciac, mhackett, mheon, mhulan, mkudlej, mokumar, mrunge, muagarwa, mwringe, nalin, nathans, nboldt, njean, nmoumoul, nobody, ocs-bugs, orabin, oramraz, osapryki, osbuilders, oskutka, owatkins, pahickey, pakotvan, pcreech, pehunt, periklis, phoracek, pjindal, pknezevi, pthomas, rcernich, rchan, rfreiman, rgarg, rhcos-sst, rhos-maint, rhuss, rogbas, rrajasek, saroy, scorneli, scox, sfroberg, sgott, shbose, simaishi, slucidi, smcdonal, smullick, sostapov, spower, sseago, stcannon, stirabos, teagle, tfister, thrcka, tjochec, tnielsen, tsweeney, twalsh, ubhargav, umohnani, vereddy, vkumar, whayutin, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: gopkg.in/yaml.v2 2.2.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in go-yaml. Parsing a large or maliciously crafted YAML document can consume excessive amounts of CPU or memory.
Story Points: ---
Last Closed: 2023-03-15 23:32:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2163540, 2163541, 2163542, 2163553, 2163539, 2163543, 2163544, 2163545, 2163546, 2163547, 2163548, 2163549, 2163550, 2163551, 2163552, 2163555, 2163556, 2163557, 2163558, 2163560, 2164213, 2164540, 2164979, 2164980, 2164981, 2164982, 2164983, 2164984, 2165601, 2165602
Bug Blocks: 2156736

Description Avinash Hanwate 2023-01-23 04:54:14 UTC
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory.

https://github.com/go-yaml/yaml/releases/tag/v2.2.4
https://pkg.go.dev/vuln/GO-2022-0956
https://github.com/go-yaml/yaml/commit/f221b8435cfb71e54062f6c6e99e9ade30b124d5
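The two things a maintainer of a Go service wants from this record are a way to find out whether a build still pulls in a gopkg.in/yaml.v2 older than the Fixed In Version (2.2.4) and a guard on how many bytes of untrusted YAML the parser is ever handed. The snippet below is an added example, not code from this bug record or from go-yaml: it scans `go list -m all` output for yaml.v2 versions below v2.2.4 (pre-release and pseudo-versions are deliberately treated as not fixed), and it caps the document size before anything is parsed. The `UnmarshalFunc` parameter and the sample `go list` lines are assumptions so the file builds with the standard library alone; in real code pass `yaml.Unmarshal`.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strconv"
	"strings"
)

// FixedYAMLv2 is this bug's "Fixed In Version" in go.mod form.
const FixedYAMLv2 = "v2.2.4"

// semver is MAJOR.MINOR.PATCH plus a flag for a "-" suffix (pre-release or Go
// pseudo-version), which sorts before the plain release with the same numbers.
type semver struct {
	nums [3]int
	pre  bool
}

func parseSemver(v string) (s semver, err error) {
	v = strings.TrimPrefix(v, "v")
	if i := strings.Index(v, "+"); i >= 0 { // build metadata such as +incompatible never affects ordering
		v = v[:i]
	}
	if i := strings.Index(v, "-"); i >= 0 {
		s.pre, v = true, v[:i]
	}
	parts := strings.Split(v, ".")
	if len(parts) != 3 {
		return s, fmt.Errorf("not MAJOR.MINOR.PATCH: %q", v)
	}
	for i, p := range parts {
		if s.nums[i], err = strconv.Atoi(p); err != nil {
			return s, fmt.Errorf("bad version %q: %w", v, err)
		}
	}
	return s, nil
}

// older reports whether a precedes b under semver precedence, so a pseudo-version
// like v2.2.4-0.2019...-abcdef012345 counts as NOT fixed (the safe reading).
func older(a, b semver) bool {
	for i := range a.nums {
		if a.nums[i] != b.nums[i] {
			return a.nums[i] < b.nums[i]
		}
	}
	return a.pre && !b.pre
}

// VulnerableYAMLv2 scans `go list -m all` output ("path version" per line) and
// returns every gopkg.in/yaml.v2 version older than FixedYAMLv2.
func VulnerableYAMLv2(goListOutput string) ([]string, error) {
	fixed, _ := parseSemver(FixedYAMLv2) // constant, known to parse
	var hits []string
	sc := bufio.NewScanner(strings.NewReader(goListOutput))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != "gopkg.in/yaml.v2" {
			continue
		}
		v, err := parseSemver(f[1])
		if err != nil {
			return nil, err
		}
		if older(v, fixed) {
			hits = append(hits, f[1])
		}
	}
	return hits, sc.Err()
}

// UnmarshalFunc has the shape of yaml.Unmarshal; it is injected so this file
// builds with the standard library alone (an assumption of the example).
type UnmarshalFunc func(in []byte, out interface{}) error

var ErrTooLarge = errors.New("yaml document exceeds size limit")

// DecodeBounded hands the parser at most maxBytes. Reading one byte past the cap
// distinguishes "exactly maxBytes" (accepted) from "more" (rejected unparsed).
func DecodeBounded(r io.Reader, maxBytes int64, unmarshal UnmarshalFunc, out interface{}) error {
	data, err := io.ReadAll(io.LimitReader(r, maxBytes+1))
	if err != nil {
		return err
	}
	if int64(len(data)) > maxBytes {
		return ErrTooLarge
	}
	return unmarshal(data, out)
}

func main() {
	// Constructed `go list -m all` output, not from a real project.
	hits, err := VulnerableYAMLv2("example.com/app\ngopkg.in/yaml.v2 v2.2.2\ngopkg.in/yaml.v3 v3.0.1\n")
	fmt.Println(hits, err)
}
```

In an HTTP server wrap the body first with `http.MaxBytesReader(w, r.Body, maxBytes)` and then call `DecodeBounded` on it, so the server also closes the connection when the cap is exceeded. The byte cap is defence in depth, not a substitute for the upgrade: a small document can still drive disproportionate work through anchors and aliases, and that is exactly what the improved heuristics in 2.2.4 exist to stop. `govulncheck ./...` consults the same database entry (GO-2022-0956) and additionally reports whether the affected code is reachable from your binary.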

Comment 3 Anten Skrabec 2023-01-23 21:45:37 UTC
Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2163539]


Created etcd tracking bugs for this issue:

Affects: openstack-rdo [bug 2163553]


Created exercism tracking bugs for this issue:

Affects: fedora-all [bug 2163543]


Created gmailctl tracking bugs for this issue:

Affects: fedora-all [bug 2163544]


Created golang-github-francoispqt-gojay tracking bugs for this issue:

Affects: fedora-all [bug 2163545]


Created golang-github-grpc-ecosystem-gateway tracking bugs for this issue:

Affects: fedora-all [bug 2163546]


Created golang-github-instrumenta-kubeval tracking bugs for this issue:

Affects: fedora-all [bug 2163547]


Created golang-gopkg-yaml tracking bugs for this issue:

Affects: epel-all [bug 2163540]


Created golie tracking bugs for this issue:

Affects: epel-all [bug 2163541]


Created kompose tracking bugs for this issue:

Affects: epel-all [bug 2163542]
Affects: fedora-all [bug 2163548]


Created manifest-tool tracking bugs for this issue:

Affects: fedora-all [bug 2163549]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2163550]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2163551]


Created yggdrasil tracking bugs for this issue:

Affects: fedora-all [bug 2163552]

Comment 9 Anten Skrabec 2023-01-24 19:11:29 UTC
Created caddy tracking bugs for this issue:

Affects: epel-all [bug 2164213]

Comment 22 errata-xmlrpc 2023-02-15 15:43:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0698 https://access.redhat.com/errata/RHSA-2023:0698

Comment 23 errata-xmlrpc 2023-02-17 03:32:42 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.6

Via RHSA-2023:0802 https://access.redhat.com/errata/RHSA-2023:0802

Comment 24 errata-xmlrpc 2023-02-17 03:46:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.7

Via RHSA-2023:0803 https://access.redhat.com/errata/RHSA-2023:0803

Comment 25 errata-xmlrpc 2023-02-17 04:12:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2023:0804 https://access.redhat.com/errata/RHSA-2023:0804

Comment 28 errata-xmlrpc 2023-02-22 23:50:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0778 https://access.redhat.com/errata/RHSA-2023:0778

Comment 29 errata-xmlrpc 2023-02-28 15:47:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.0

Via RHSA-2023:1014 https://access.redhat.com/errata/RHSA-2023:1014

Comment 30 errata-xmlrpc 2023-03-01 09:00:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0899 https://access.redhat.com/errata/RHSA-2023:0899

Comment 33 errata-xmlrpc 2023-03-15 19:56:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 16.1
  Red Hat OpenStack Platform 16.2

Via RHSA-2023:1275 https://access.redhat.com/errata/RHSA-2023:1275

Comment 34 Product Security DevOps Team 2023-03-15 23:31:42 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-3064

Comment 35 errata-xmlrpc 2023-05-10 05:17:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:2111 https://access.redhat.com/errata/RHSA-2023:2111

Comment 36 errata-xmlrpc 2023-05-18 03:09:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:2695 https://access.redhat.com/errata/RHSA-2023:2695

Comment 37 errata-xmlrpc 2023-05-24 07:09:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:3218 https://access.redhat.com/errata/RHSA-2023:3218

Comment 38 errata-xmlrpc 2023-10-31 12:54:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006

Comment 39 errata-xmlrpc 2023-11-07 08:13:21 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6346 https://access.redhat.com/errata/RHSA-2023:6346

Comment 40 errata-xmlrpc 2023-11-14 15:16:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6938 https://access.redhat.com/errata/RHSA-2023:6938

Comment 41 errata-xmlrpc 2023-11-14 15:16:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939

Comment 42 errata-xmlrpc 2024-02-14 06:34:09 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0741 https://access.redhat.com/errata/RHSA-2024:0741